I'm trying to
kubectl create secret tls foo-secret --key /tls.key --cert /tls.crt
from keys and certs I've made with LetsEncrypt. This process makes sense with self-signed certificates, but the files made by LetsEncrypt look like this:
cert.pem
chain.pem
fullchain.pem
privkey.pem
I can convert those pem files. I don't know if --key wants a public key or a private key, and the only option here is privkey.pem. I assume cert is cert.
I can convert private.pem with:
openssl rsa -outform der -in privkey.pem -out private.key
And cert.pem with:
openssl x509 -outform der -in cert.pem -out cert.crt
Is this the right process? Since I'll be using this secret for ingress oauth in place of __INGRESS_SECRET__, is this ingress supposed to have a private key? This ingress is acting as a TLS terminator for other things.
You are correct, you will need to provide your private key for the tls.key portion. However, it's a good practice to automate the letsencrypt certificate generation process using cert-manager. Check out this tutorial. Doing so will automatically create the tls secret resource for you on the cluster.
Your tls.key file is the private key and begins and ends like the following:
-----BEGIN RSA PRIVATE KEY-----
... [your private key]
-----END RSA PRIVATE KEY-----
And your tls.crt is going to be the concatenation of cert.pem and fullchain.pem, and it will look like the following:
-----BEGIN CERTIFICATE-----
...
[your cert content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
[your fullchain cert content]
-----END CERTIFICATE-----
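A pre-flight check for the key and certificate files discussed above, as an added example that is not part of the original question or answer. It assumes certbot's layout (fullchain.pem is cert.pem followed by chain.pem) and that kubectl expects PEM-encoded input, so DER files from `-outform der` are rejected; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight checks to run on certbot output before `kubectl create secret tls`.
# Function names are hypothetical; they are not part of kubectl or certbot.

# Classify a file by its first PEM header; DER output has none and is "not-pem".
pem_kind() {
  local header
  header=$(grep -a -m1 -e '^-----BEGIN ' "$1" 2>/dev/null) || { echo not-pem; return 0; }
  case "$header" in
    *"PRIVATE KEY-----"*) echo private-key ;;
    *"BEGIN CERTIFICATE-----"*) echo certificate ;;
    *) echo other-pem ;;   # e.g. a PUBLIC KEY block, which --key cannot use
  esac
}

# Count certificates in a bundle (leaf plus intermediates).
count_certs() {
  grep -a -c -e '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# True when the private key and the first (leaf) certificate share a public key.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Validate the pair, then print the command to run. Non-zero on any failure.
check_tls_pair() {
  local key="$1" cert="$2"
  [ "$(pem_kind "$key")" = private-key ] ||
    { echo "not a PEM private key: $key" >&2; return 1; }
  [ "$(pem_kind "$cert")" = certificate ] ||
    { echo "not a PEM certificate: $cert" >&2; return 1; }
  [ "$(count_certs "$cert")" -ge 2 ] ||
    echo "warning: no intermediate in $cert; fullchain.pem carries it" >&2
  key_matches_cert "$key" "$cert" ||
    { echo "private key does not match leaf certificate" >&2; return 1; }
  echo "kubectl create secret tls foo-secret --key $key --cert $cert"
}

# Usage: check_tls_pair privkey.pem fullchain.pem
```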